Posted on 2006-6-11 10:29:44
Unpacking the EncryptPE V2.2005314 main program

1. Finding the OEP and dumping

Load it in OD; the entry point (EP) looks like this:

EncryptP.> 60 PUSHAD
004F3001 9C PUSHFD
004F3002 64:FF35 000>PUSH DWORD PTR FS:[0]
004F3009 E8 7A010000 CALL EncryptP.004F3188 ; F7 step into
004F300E 0000 ADD BYTE PTR DS:[EAX],AL
004F3010 0000 ADD BYTE PTR DS:[EAX],AL

Set a breakpoint with BP LoadLibraryA; when it triggers, the stack window shows:

0012FF94 004F328F /CALL to LoadLibraryA from EncryptP.004F328D
0012FF98 004F305A \FileName = "C:\WINDOWS\system32\V22005314.EPE"

Looking at V22005314.EPE itself, it is packed with UPX; its OEP is as follows:

711E57E0 55 PUSH EBP
711E57E1 8BEC MOV EBP,ESP
711E57E3 83C4 C4 ADD ESP,-3C
711E57E6 B8 B0551E71 MOV EAX,V2200531.711E55B0
711E57EB E8 8414F4FF CALL V2200531.71126C74 ; F7 step into
711E57F0 E8 9BEEF3FF CALL V2200531.71124690

Set BP SetWindowsHookExA; when it triggers, the stack shows:

0012F7F0 711ABA0E /CALL to SetWindowsHookExA from V2200531.711ABA09
0012F7F4 00000004 |HookType = WH_CALLWNDPROC
0012F7F8 711ADA54 |Hookproc = V2200531.711ADA54
0012F7FC 71120000 |hModule = 71120000 (V22005314)
0012F800 00000000 \ThreadID = 0

This installs a remote, system-wide hook. If you press F9 at this point, OD dies as soon as the hook is injected into the OD process. Load the program again: since the hook has already been injected into Explorer.exe, the program skips the SetWindowsHookExA step. Now set BP SendMessage; when it triggers, the stack shows:

0012FD44 711E3D96 /CALL to SendMessageA from V2200531.711E3D91
0012FD48 00030060 |hWnd = 30060 (handle of a child window belonging to Explorer.exe)
0012FD4C 0000C11F |Message = MSG(C11F)
0012FD50 00001BC8 |wParam = 1BC8
0012FD54 00000001 \lParam = 1
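
Added example (not code from the original post): a small Python parser for the OllyDbg stack-window dumps quoted above, followed by a check that flags the loader behaviours those dumps reveal: a module with a non-.dll extension loaded from system32, a SetWindowsHookEx call with ThreadID = 0 (a global hook, here of type WH_CALLWNDPROC = 4), and a window message in the RegisterWindowMessage range (0xC000..0xFFFF). The sample input is the three dumps above re-typed as constructed test data; the function names and finding tags are my own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the three OllyDbg stack-window dumps quoted in the
# post, re-typed here as test data rather than captured afresh.
SAMPLE_DUMPS = r"""
0012FF94 004F328F /CALL to LoadLibraryA from EncryptP.004F328D
0012FF98 004F305A \FileName = "C:\WINDOWS\system32\V22005314.EPE"
0012F7F0 711ABA0E /CALL to SetWindowsHookExA from V2200531.711ABA09
0012F7F4 00000004 |HookType = WH_CALLWNDPROC
0012F7F8 711ADA54 |Hookproc = V2200531.711ADA54
0012F7FC 71120000 |hModule = 71120000 (V22005314)
0012F800 00000000 \ThreadID = 0
0012FD44 711E3D96 /CALL to SendMessageA from V2200531.711E3D91
0012FD48 00030060 |hWnd = 30060
0012FD4C 0000C11F |Message = MSG(C11F)
0012FD50 00001BC8 |wParam = 1BC8
0012FD54 00000001 \lParam = 1
"""

# One stack line: <stack addr> <dword> <marker><text>; marker is '/', '|' or '\'.
LINE_RE = re.compile(r"^([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]{8})\s+([/|\\])(.*)$")
CALL_RE = re.compile(r"CALL to (\w+) from (\S+)")
ARG_RE = re.compile(r"(\w+)\s*=\s*(.*)")

WH_CALLWNDPROC = 4                              # documented Win32 hook type value
WM_REGISTERED_MIN, WM_REGISTERED_MAX = 0xC000, 0xFFFF  # RegisterWindowMessage range


@dataclass
class ApiCall:
    api: str
    caller: str
    args: dict = field(default_factory=dict)    # name -> text as OllyDbg shows it
    values: dict = field(default_factory=dict)  # name -> raw dword from the stack


def parse_stack_dumps(text):
    """Group OllyDbg stack-window lines into ApiCall records."""
    calls, current = [], None
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank line or something that is not a stack-window row
        _addr, dword, marker, body = m.groups()
        c = CALL_RE.search(body)
        if c:
            current = ApiCall(api=c.group(1), caller=c.group(2))
            calls.append(current)
        else:
            a = ARG_RE.match(body.strip())
            if current is not None and a:
                current.args[a.group(1)] = a.group(2).strip()
                current.values[a.group(1)] = int(dword, 16)  # compare the raw value
        if marker == "\\":
            current = None  # the '\' row closes the call's argument list
    return calls


def assess(calls):
    """Flag the loader behaviours the post documents; returns a list of tags."""
    findings = []
    for c in calls:
        if c.api.startswith("LoadLibrary"):
            path = c.args.get("FileName", "").strip('"').lower()
            if "\\system32\\" in path and not path.endswith(".dll"):
                findings.append("system32-module-nonstandard-extension")
        elif c.api.startswith("SetWindowsHookEx"):
            if c.values.get("ThreadID") == 0:       # 0 = hook every thread on the desktop
                findings.append("global-hook")
            if c.values.get("HookType") == WH_CALLWNDPROC:
                findings.append("callwndproc-hook")
        elif c.api.startswith("SendMessage"):
            msg = c.values.get("Message", -1)
            if WM_REGISTERED_MIN <= msg <= WM_REGISTERED_MAX:
                findings.append("registered-window-message")
    # The post's sequence: plant a global hook first, then signal another process.
    if "global-hook" in findings and "registered-window-message" in findings:
        findings.append("hook-then-message-handoff")
    return findings


if __name__ == "__main__":
    for tag in assess(parse_stack_dumps(SAMPLE_DUMPS)):
        print(tag)
```

The checks use the raw dword in the second column (ThreadID == 0, HookType == 4, Message == 0xC11F) rather than the symbolic text, so they also work on dumps where OllyDbg shows no symbol. Seen in an API trace, this is the sequence to look for when a debugger dies the moment a packed target starts: a global WH_CALLWNDPROC hook lands its DLL in every GUI process on the desktop, the debugger included, and the registered message is the hand-off to the process that will do the real work.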

Now attach OD to Explorer.exe, set a hardware breakpoint with HE CreateProcessA, and run EncryptPE.exe with F9; when it triggers, the code is as follows:

711AFBC4 A1 10E71F71 MOV EAX,DWORD PTR DS:[711FE710]
711AFBC9 8B40 3C MOV EAX,DWORD PTR DS:[EAX+3C]
711AFBCC 0305 10E71F>ADD EAX,DWORD PTR DS:[711FE710]
711AFBD2 66:8378 06 >CMP WORD PTR DS:[EAX+6],3 ; check whether NumberOfSections is 3
711AFBD7 74 05 JE SHORT V2200531.711AFBDE
711AFBD9 E8 B6C9FFFF CALL V2200531.711AC594
711AFBDE BE 02000100 MOV ESI,10002 ; DBG_CONTINUE
711AFBE3 C785 4CFEFF>MOV DWORD PTR SS:[EBP-1B4],10007
711AFBED 8B85 18FFFF>MOV EAX,DWORD PTR SS:[EBP-E8]
711AFBF3 83F8 08 CMP EAX,8 ; DebugEventCode
711AFBF6 0F87 7B0C00>JA V2200531.711B0877
711AFBFC FF2485 03FC>JMP NEAR DWORD PTR DS:[EAX*4+711AFC03]; Switch(DebugEventCode)
711AFC27 8B85 2CFFFF>MOV EAX,DWORD PTR SS:[EBP-D4] ; Case 3
711AFC2D 33D2 XOR EDX,EDX
711AFC2F 52 PUSH EDX
711AFC30 50 PUSH EAX
711AFC31 8D85 40FEFF>LEA EAX,DWORD PTR SS:[EBP-1C0]
711AFC37 E8 8894F7FF CALL V2200531.711290C4
711AFC3C 8B85 40FEFF>MOV EAX,DWORD PTR SS:[EBP-1C0]
711AFC42 50 PUSH EAX
711AFC43 8B85 20FFFF>MOV EAX,DWORD PTR SS:[EBP-E0]
711AFC49 33D2 XOR EDX,EDX
711AFC4B 52 PUSH EDX
711AFC4C 50 PUSH EAX
711AFC4D 8D85 3CFEFF>LEA EAX,DWORD PTR SS:[EBP-1C4]
711AFC53 E8 6C94F7FF CALL V2200531.711290C4
711AFC58 8B95 3CFEFF>MOV EDX,DWORD PTR SS:[EBP-1C4]
711AFC5E 8BC3 MOV EAX,EBX
711AFC60 59 POP ECX
711AFC61 E8 1EE6F8FF CALL V2200531.7113E284
711AFC66 8B85 24FFFF>MOV EAX,DWORD PTR SS:[EBP-DC]
711AFC6C 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
711AFC6F E9 030C0000 JMP V2200531.711B0877
711AFC74 8B85 1CFFFF>MOV EAX,DWORD PTR SS:[EBP-E4] ; Case 5
711AFC7A 3B45 80 CMP EAX,DWORD PTR SS:[EBP-80]
711AFC7D 0F84 1E0C00>JE V2200531.711B08A1
711AFC83 E9 EF0B0000 JMP V2200531.711B0877
711AFC88 8B85 24FFFF>MOV EAX,DWORD PTR SS:[EBP-DC] ; Case 2
711AFC8E 33D2 XOR EDX,EDX
711AFC90 52 PUSH EDX
711AFC91 50 PUSH EAX
711AFC92 8D85 38FEFF>LEA EAX,DWORD PTR SS:[EBP-1C8]
711AFC98 E8 2794F7FF CALL V2200531.711290C4
711AFC9D 8B85 38FEFF>MOV EAX,DWORD PTR SS:[EBP-1C8]
711AFCA3 50 PUSH EAX
711AFCA4 8B85 20FFFF>MOV EAX,DWORD PTR SS:[EBP-E0]
711AFCAA 33D2 XOR EDX,EDX
711AFCAC 52 PUSH EDX
711AFCAD 50 PUSH EAX
711AFCAE 8D85 34FEFF>LEA EAX,DWORD PTR SS:[EBP-1CC]
711AFCB4 E8 0B94F7FF CALL V2200531.711290C4
711AFCB9 8B95 34FEFF>MOV EDX,DWORD PTR SS:[EBP-1CC]
711AFCBF 8BC3 MOV EAX,EBX
711AFCC1 59 POP ECX
711AFCC2 E8 BDE5F8FF CALL V2200531.7113E284
711AFCC7 E9 AB0B0000 JMP V2200531.711B0877
711AFCCC 8B85 20FFFF>MOV EAX,DWORD PTR SS:[EBP-E0] ; Case 4
711AFCD2 33D2 XOR EDX,EDX
711AFCD4 52 PUSH EDX
711AFCD5 50 PUSH EAX
711AFCD6 8D85 30FEFF>LEA EAX,DWORD PTR SS:[EBP-1D0]
711AFCDC E8 E393F7FF CALL V2200531.711290C4
711AFCE1 8B95 30FEFF>MOV EDX,DWORD PTR SS:[EBP-1D0]
711AFCE7 33C9 XOR ECX,ECX
711AFCE9 8BC3 MOV EAX,EBX
711AFCEB E8 94E5F8FF CALL V2200531.7113E284
711AFCF0 E9 820B0000 JMP V2200531.711B0877
711AFCF5 A1 10E71F71 MOV EAX,DWORD PTR DS:[711FE710] ; Case 1
711AFCFA 8B40 3C MOV EAX,DWORD PTR DS:[EAX+3C]
711AFCFD 0305 10E71F>ADD EAX,DWORD PTR DS:[711FE710]
711AFD03 66:8378 06 >CMP WORD PTR DS:[EAX+6],3
711AFD08 74 05 JE SHORT V2200531.711AFD0F
711AFD0A E8 85C8FFFF CALL V2200531.711AC594
711AFD0F 807D FB 00 CMP BYTE PTR SS:[EBP-5],0
711AFD13 75 0E JNZ SHORT V2200531.711AFD23
711AFD15 83BD 74FFFF>CMP DWORD PTR SS:[EBP-8C],0
711AFD1C 76 05 JBE SHORT V2200531.711AFD23
711AFD1E BE 01000180 MOV ESI,80010001
711AFD23 C645 FB 00 MOV BYTE PTR SS:[EBP-5],0
711AFD27 8B85 1CFFFF>MOV EAX,DWORD PTR SS:[EBP-E4]
711AFD2D 3B45 80 CMP EAX,DWORD PTR SS:[EBP-80]
711AFD30 0F85 810A00>JNZ V2200531.711B07B7
711AFD36 8B85 20FFFF>MOV EAX,DWORD PTR SS:[EBP-E0]
711AFD3C 33D2 XOR EDX,EDX
711AFD3E 52 PUSH EDX
711AFD3F 50 PUSH EAX
711AFD40 8D85 28FEFF>LEA EAX,DWORD PTR SS:[EBP-1D8]
711AFD46 E8 7993F7FF CALL V2200531.711290C4
711AFD4B 8B95 28FEFF>MOV EDX,DWORD PTR SS:[EBP-1D8]
711AFD51 8D8D 2CFEFF>LEA ECX,DWORD PTR SS:[EBP-1D4]
711AFD57 8BC3 MOV EAX,EBX
711AFD59 E8 4EDEF8FF CALL V2200531.7113DBAC
711AFD5E 83BD 2CFEFF>CMP DWORD PTR SS:[EBP-1D4],0
711AFD65 0F84 4C0A00>JE V2200531.711B07B7
711AFD6B 8D85 4CFEFF>LEA EAX,DWORD PTR SS:[EBP-1B4]
711AFD71 50 PUSH EAX
711AFD72 8B85 20FFFF>MOV EAX,DWORD PTR SS:[EBP-E0]
711AFD78 33D2 XOR EDX,EDX
711AFD7A 52 PUSH EDX
711AFD7B 50 PUSH EAX
711AFD7C 8D85 20FEFF>LEA EAX,DWORD PTR SS:[EBP-1E0]
711AFD82 E8 3D93F7FF CALL V2200531.711290C4
711AFD87 8B95 20FEFF>MOV EDX,DWORD PTR SS:[EBP-1E0]
711AFD8D 8D8D 24FEFF>LEA ECX,DWORD PTR SS:[EBP-1DC]
711AFD93 8BC3 MOV EAX,EBX
711AFD95 E8 12DEF8FF CALL V2200531.7113DBAC
711AFD9A 8B85 24FEFF>MOV EAX,DWORD PTR SS:[EBP-1DC]
711AFDA0 E8 CF93F7FF CALL V2200531.71129174
711AFDA5 50 PUSH EAX
711AFDA6 E8 AD72F7FF CALL V2200531.71127058 ; GetThreadContext
711AFDAB 85C0 TEST EAX,EAX
711AFDAD 0F84 040A00>JE V2200531.711B07B7
711AFDB3 81BD 24FFFF>CMP DWORD PTR SS:[EBP-DC],80000003 ; is it a breakpoint exception?
711AFDBD 0F85 410900>JNZ V2200531.711B0704
711AFDC3 33FF XOR EDI,EDI
711AFDC5 A1 B4DF1F71 MOV EAX,DWORD PTR DS:[711FDFB4]
711AFDCA 8338 02 CMP DWORD PTR DS:[EAX],2
711AFDCD 75 11 JNZ SHORT V2200531.711AFDE0
711AFDCF 68 30062071 PUSH V2200531.71200630
711AFDD4 E8 3771F7FF CALL V2200531.71126F10 ; JMP to ntdll.RtlEnterCriticalSection
711AFDD9 33C0 XOR EAX,EAX
711AFDDB E8 20E2FFFF CALL V2200531.711AE000
711AFDE0 8B85 1CFFFF>MOV EAX,DWORD PTR SS:[EBP-E4]
711AFDE6 50 PUSH EAX
711AFDE7 6A 00 PUSH 0
711AFDE9 68 FF0F1F00 PUSH 1F0FFF
711AFDEE E8 7573F7FF CALL V2200531.71127168 ; JMP to kernel32.OpenProcess
711AFDF3 8BF8 MOV EDI,EAX
711AFDF5 A1 B4DF1F71 MOV EAX,DWORD PTR DS:[711FDFB4]
711AFDFA 8338 02 CMP DWORD PTR DS:[EAX],2
711AFDFD 75 11 JNZ SHORT V2200531.711AFE10
711AFDFF 33C0 XOR EAX,EAX
711AFE01 E8 4EE2FFFF CALL V2200531.711AE054
711AFE06 68 30062071 PUSH V2200531.71200630
711AFE0B E8 E872F7FF CALL V2200531.711270F8 ; JMP to ntdll.RtlLeaveCriticalSection
711AFE10 85FF TEST EDI,EDI
711AFE12 ^ 74 B1 JE SHORT V2200531.711AFDC5
711AFE14 85FF TEST EDI,EDI
711AFE16 0F86 E80800>JBE V2200531.711B0704
711AFE1C 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
711AFE1F BA 05000000 MOV EDX,5
711AFE24 E8 1750F7FF CALL V2200531.71124E40
711AFE29 33C0 XOR EAX,EAX
711AFE2B 8945 F0 MOV DWORD PTR SS:[EBP-10],EAX
711AFE2E 837D F0 05 CMP DWORD PTR SS:[EBP-10],5
711AFE32 73 22 JNB SHORT V2200531.711AFE56
711AFE34 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
711AFE37 50 PUSH EAX
711AFE38 6A 05 PUSH 5
711AFE3A 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
711AFE3D E8 CA4EF7FF CALL V2200531.71124D0C
711AFE42 50 PUSH EAX
711AFE43 8B85 30FFFF>MOV EAX,DWORD PTR SS:[EBP-D0]
711AFE49 50 PUSH EAX
711AFE4A 57 PUSH EDI
711AFE4B E8 4073F7FF CALL V2200531.71127190 ; JMP to kernel32.ReadProcessMemory
711AFE50 837D F0 05 CMP DWORD PTR SS:[EBP-10],5
711AFE54 ^ 72 DE JB SHORT V2200531.711AFE34
711AFE56 837D F0 05 CMP DWORD PTR SS:[EBP-10],5
711AFE5A 0F85 9E0800>JNZ V2200531.711B06FE
711AFE60 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
711AFE63 E8 A44EF7FF CALL V2200531.71124D0C
711AFE68 8945 E8 MOV DWORD PTR SS:[EBP-18],EAX
711AFE6B 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
711AFE6E 8B00 MOV EAX,DWORD PTR DS:[EAX]
711AFE70 2D CCCCCCCC SUB EAX,CCCCCCCC ; four CCs?
711AFE75 74 1B JE SHORT V2200531.711AFE92
711AFE77 2D 00000034 SUB EAX,34000000 ; three CCs?
711AFE7C 0F84 230200>JE V2200531.711B00A5
711AFE82 2D 00000001 SUB EAX,1000000 ; four CCs + 01?
711AFE87 0F84 510500>JE V2200531.711B03DE
711AFE8D E9 6C080000 JMP V2200531.711B06FE
711AFE92 8B85 20FFFF>MOV EAX,DWORD PTR SS:[EBP-E0] ; four CCs
711AFE98 33D2 XOR EDX,EDX
711AFE9A 52 PUSH EDX
711AFE9B 50 PUSH EAX
711AFE9C 8D85 18FEFF>LEA EAX,DWORD PTR SS:[EBP-1E8]
711AFEA2 E8 1D92F7FF CALL V2200531.711290C4
711AFEA7 8D85 18FEFF>LEA EAX,DWORD PTR SS:[EBP-1E8]
711AFEAD 50 PUSH EAX
711AFEAE 8D8D 14FEFF>LEA ECX,DWORD PTR SS:[EBP-1EC]
711AFEB4 BA 01000000 MOV EDX,1
711AFEB9 B8 26000000 MOV EAX,26
711AFEBE E8 A1C8FFFF CALL V2200531.711AC764
711AFEC3 8B95 14FEFF>MOV EDX,DWORD PTR SS:[EBP-1EC]
711AFEC9 58 POP EAX
711AFECA E8 F54BF7FF CALL V2200531.71124AC4
711AFECF 8B95 18FEFF>MOV EDX,DWORD PTR SS:[EBP-1E8]
711AFED5 8D8D 1CFEFF>LEA ECX,DWORD PTR SS:[EBP-1E4]
711AFEDB 8BC3 MOV EAX,EBX
711AFEDD E8 CADCF8FF CALL V2200531.7113DBAC
711AFEE2 83BD 1CFEFF>CMP DWORD PTR SS:[EBP-1E4],0
711AFEE9 0F84 940100>JE V2200531.711B0083
711AFEEF A1 10E71F71 MOV EAX,DWORD PTR DS:[711FE710]
711AFEF4 8B40 3C MOV EAX,DWORD PTR DS:[EAX+3C]
711AFEF7 0305 10E71F>ADD EAX,DWORD PTR DS:[711FE710]
711AFEFD 66:8378 06 >CMP WORD PTR DS:[EAX+6],3
711AFF02 74 05 JE SHORT V2200531.711AFF09
711AFF04 E8 8BC6FFFF CALL V2200531.711AC594
711AFF09 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
711AFF0C BA 24000000 MOV EDX,24
711AFF11 E8 2A4FF7FF CALL V2200531.71124E40
711AFF16 8B85 20FFFF>MOV EAX,DWORD PTR SS:[EBP-E0]
711AFF1C 33D2 XOR EDX,EDX
711AFF1E 52 PUSH EDX
711AFF1F 50 PUSH EAX
711AFF20 8D85 0CFEFF>LEA EAX,DWORD PTR SS:[EBP-1F4]
711AFF26 E8 9991F7FF CALL V2200531.711290C4
711AFF2B 8D85 0CFEFF>LEA EAX,DWORD PTR SS:[EBP-1F4]
711AFF31 50 PUSH EAX
711AFF32 8D8D 08FEFF>LEA ECX,DWORD PTR SS:[EBP-1F8]
711AFF38 BA 01000000 MOV EDX,1
711AFF3D B8 26000000 MOV EAX,26
711AFF42 E8 1DC8FFFF CALL V2200531.711AC764
711AFF47 8B95 08FEFF>MOV EDX,DWORD PTR SS:[EBP-1F8]
711AFF4D 58 POP EAX
711AFF4E E8 714BF7FF CALL V2200531.71124AC4
711AFF53 8B95 0CFEFF>MOV EDX,DWORD PTR SS:[EBP-1F4]
711AFF59 8D8D 10FEFF>LEA ECX,DWORD PTR SS:[EBP-1F0]
711AFF5F 8BC3 MOV EAX,EBX
711AFF61 E8 46DCF8FF CALL V2200531.7113DBAC
711AFF66 8B85 10FEFF>MOV EAX,DWORD PTR SS:[EBP-1F0]
711AFF6C E8 0392F7FF CALL V2200531.71129174
711AFF71 8945 E8 MOV DWORD PTR SS:[EBP-18],EAX
711AFF74 33C0 XOR EAX,EAX
711AFF76 8945 F0 MOV DWORD PTR SS:[EBP-10],EAX
711AFF79 837D F0 24 CMP DWORD PTR SS:[EBP-10],24
711AFF7D 73 1F JNB SHORT V2200531.711AFF9E
711AFF7F 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
711AFF82 50 PUSH EAX
711AFF83 6A 24 PUSH 24
711AFF85 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
711AFF88 E8 7F4DF7FF CALL V2200531.71124D0C
711AFF8D 50 PUSH EAX
711AFF8E 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
711AFF91 50 PUSH EAX
711AFF92 57 PUSH EDI
711AFF93 E8 F871F7FF CALL V2200531.71127190 ; JMP to kernel32.ReadProcessMemory
711AFF98 837D F0 24 CMP DWORD PTR SS:[EBP-10],24
711AFF9C ^ 72 E1 JB SHORT V2200531.711AFF7F
711AFF9E 837D F0 24 CMP DWORD PTR SS:[EBP-10],24
711AFFA2 0F85 560700>JNZ V2200531.711B06FE
711AFFA8 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
711AFFAB E8 5C4DF7FF CALL V2200531.71124D0C
711AFFB0 83C0 04 ADD EAX,4
711AFFB3 8945 E8 MOV DWORD PTR SS:[EBP-18],EAX
711AFFB6 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
711AFFB9 8B00 MOV EAX,DWORD PTR DS:[EAX]
711AFFBB 8985 E8FEFF>MOV DWORD PTR SS:[EBP-118],EAX
711AFFC1 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
711AFFC4 E8 434DF7FF CALL V2200531.71124D0C
711AFFC9 83C0 08 ADD EAX,8
711AFFCC 8945 E8 MOV DWORD PTR SS:[EBP-18],EAX
711AFFCF 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
711AFFD2 8B00 MOV EAX,DWORD PTR DS:[EAX]
711AFFD4 8985 ECFEFF>MOV DWORD PTR SS:[EBP-114],EAX
711AFFDA 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
711AFFDD E8 2A4DF7FF CALL V2200531.71124D0C
711AFFE2 83C0 0C ADD EAX,0C
711AFFE5 8945 E8 MOV DWORD PTR SS:[EBP-18],EAX
711AFFE8 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
711AFFEB 8B00 MOV EAX,DWORD PTR DS:[EAX]
711AFFED 8985 00FFFF>MOV DWORD PTR SS:[EBP-100],EAX
711AFFF3 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
711AFFF6 E8 114DF7FF CALL V2200531.71124D0C
711AFFFB 83C0 10 ADD EAX,10
711AFFFE 8945 E8 MOV DWORD PTR SS:[EBP-18],EAX
711B0001 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
711B0004 8B00 MOV EAX,DWORD PTR DS:[EAX]
711B0006 8985 10FFFF>MOV DWORD PTR SS:[EBP-F0],EAX
711B000C 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
711B000F E8 F84CF7FF CALL V2200531.71124D0C
711B0014 83C0 14 ADD EAX,14
711B0017 8945 E8 MOV DWORD PTR SS:[EBP-18],EAX
711B001A 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
711B001D 8B00 MOV EAX,DWORD PTR DS:[EAX]
711B001F 8985 F0FEFF>MOV DWORD PTR SS:[EBP-110],EAX
711B0025 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
711B0028 E8 DF4CF7FF CALL V2200531.71124D0C
711B002D 83C0 18 ADD EAX,18
711B0030 8945 E8 MOV DWORD PTR SS:[EBP-18],EAX
711B0033 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
711B0036 8B00 MOV EAX,DWORD PTR DS:[EAX]
711B0038 8985 F4FEFF>MOV DWORD PTR SS:[EBP-10C],EAX
711B003E 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
711B0041 E8 C64CF7FF CALL V2200531.71124D0C
711B0046 83C0 1C ADD EAX,1C
711B0049 8945 E8 MOV DWORD PTR SS:[EBP-18],EAX
711B004C 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
711B004F 8B00 MOV EAX,DWORD PTR DS:[EAX]
711B0051 8985 F8FEFF>MOV DWORD PTR SS:[EBP-108],EAX
711B0057 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
711B005A E8 AD4CF7FF CALL V2200531.71124D0C
711B005F 83C0 20 ADD EAX,20
711B0062 8945 E8 MOV DWORD PTR SS:[EBP-18],EAX
711B0065 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
711B0068 8B00 MOV EAX,DWORD PTR DS:[EAX]
711B006A 83F0 FF XOR EAX,FFFFFFFF
711B006D 8985 04FFFF>MOV DWORD PTR SS:[EBP-FC],EAX
711B0073 8985 FCFEFF>MOV DWORD PTR SS:[EBP-104],EAX
711B0079 BE 02000100 MOV ESI,10002
711B007E E9 7B060000 JMP V2200531.711B06FE
711B0083 8B85 30FFFF>MOV EAX,DWORD PTR SS:[EBP-D0]
711B0089 83C0 05 ADD EAX,5
711B008C 8B55 EC MOV EDX,DWORD PTR SS:[EBP-14]
711B008F 0FB652 04 MOVZX EDX,BYTE PTR DS:[EDX+4]
711B0093 03C2 ADD EAX,EDX
711B0095 8985 04FFFF>MOV DWORD PTR SS:[EBP-FC],EAX
711B009B BE 02000100 MOV ESI,10002
711B00A0 E9 59060000 JMP V2200531.711B06FE
711B00A5 A1 10E71F71 MOV EAX,DWORD PTR DS:[711FE710] ; three CCs
711B00AA 8B40 3C MOV EAX,DWORD PTR DS:[EAX+3C]
711B00AD 0305 10E71F>ADD EAX,DWORD PTR DS:[711FE710]
711B00B3 66:8378 06 >CMP WORD PTR DS:[EAX+6],3
711B00B8 74 05 JE SHORT V2200531.711B00BF
711B00BA E8 D5C4FFFF CALL V2200531.711AC594
711B00BF 66:C745 CC >MOV WORD PTR SS:[EBP-34],0FFFF
711B00C5 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
711B00C8 BA 18000000 MOV EDX,18
711B00CD E8 6E4DF7FF CALL V2200531.71124E40
711B00D2 33C0 XOR EAX,EAX
711B00D4 8945 F0 MOV DWORD PTR SS:[EBP-10],EAX
711B00D7 837D F0 18 CMP DWORD PTR SS:[EBP-10],18
711B00DB 73 22 JNB SHORT V2200531.711B00FF
711B00DD 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
711B00E0 50 PUSH EAX
711B00E1 6A 18 PUSH 18
711B00E3 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
711B00E6 E8 214CF7FF CALL V2200531.71124D0C
711B00EB 50 PUSH EAX
711B00EC 8B85 10FFFF>MOV EAX,DWORD PTR SS:[EBP-F0]
711B00F2 50 PUSH EAX
711B00F3 57 PUSH EDI
711B00F4 E8 9770F7FF CALL V2200531.71127190 ; JMP to kernel32.ReadProcessMemory
711B00F9 837D F0 18 CMP DWORD PTR SS:[EBP-10],18
711B00FD ^ 72 DE JB SHORT V2200531.711B00DD
711B00FF 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
711B0102 E8 054CF7FF CALL V2200531.71124D0C
711B0107 8945 E8 MOV DWORD PTR SS:[EBP-18],EAX
711B010A 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
711B010D 8B00 MOV EAX,DWORD PTR DS:[EAX]
711B010F 8985 00FFFF>MOV DWORD PTR SS:[EBP-100],EAX
711B0115 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
711B0118 83C0 04 ADD EAX,4
711B011B 8945 E8 MOV DWORD PTR SS:[EBP-18],EAX
711B011E 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
711B0121 8B00 MOV EAX,DWORD PTR DS:[EAX]
711B0123 8985 04FFFF>MOV DWORD PTR SS:[EBP-FC],EAX
711B0129 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
711B012C 83C0 04 ADD EAX,4
711B012F 8945 E8 MOV DWORD PTR SS:[EBP-18],EAX
711B0132 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
711B0135 8A00 MOV AL,BYTE PTR DS:[EAX]
711B0137 8845 CF MOV BYTE PTR SS:[EBP-31],AL
711B013A 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
711B013D 83C0 04 ADD EAX,4
711B0140 8945 E8 MOV DWORD PTR SS:[EBP-18],EAX
711B0143 8D45 D0 LEA EAX,DWORD PTR SS:[EBP-30]
711B0146 E8 B946F7FF CALL V2200531.71124804
711B014B 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
711B014E 8338 00 CMP DWORD PTR DS:[EAX],0
711B0151 76 7C JBE SHORT V2200531.711B01CF
711B0153 8D45 D0 LEA EAX,DWORD PTR SS:[EBP-30]
711B0156 BA 00010000 MOV EDX,100
711B015B E8 E04CF7FF CALL V2200531.71124E40
711B0160 8D45 D0 LEA EAX,DWORD PTR SS:[EBP-30]
711B0163 E8 A44BF7FF CALL V2200531.71124D0C
711B0168 BA 00010000 MOV EDX,100
711B016D E8 6E79F7FF CALL V2200531.71127AE0
711B0172 BE 01000000 MOV ESI,1
711B0177 33C0 XOR EAX,EAX
711B0179 8945 F0 MOV DWORD PTR SS:[EBP-10],EAX
711B017C 837D F0 01 CMP DWORD PTR SS:[EBP-10],1
711B0180 73 28 JNB SHORT V2200531.711B01AA
711B0182 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
711B0185 50 PUSH EAX
711B0186 6A 01 PUSH 1
711B0188 8D45 D0 LEA EAX,DWORD PTR SS:[EBP-30]
711B018B E8 7C4BF7FF CALL V2200531.71124D0C
711B0190 8D4430 FF LEA EAX,DWORD PTR DS:[EAX+ESI-1]
711B0194 50 PUSH EAX
711B0195 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
711B0198 8B00 MOV EAX,DWORD PTR DS:[EAX]
711B019A 03C6 ADD EAX,ESI
711B019C 48 DEC EAX
711B019D 50 PUSH EAX
711B019E 57 PUSH EDI
711B019F E8 EC6FF7FF CALL V2200531.71127190 ; JMP to kernel32.ReadProcessMemory
711B01A4 837D F0 01 CMP DWORD PTR SS:[EBP-10],1
711B01A8 ^ 72 D8 JB SHORT V2200531.711B0182
711B01AA 8B45 D0 MOV EAX,DWORD PTR SS:[EBP-30]
711B01AD 807C30 FF 0>CMP BYTE PTR DS:[EAX+ESI-1],0
711B01B2 74 09 JE SHORT V2200531.711B01BD
711B01B4 46 INC ESI
711B01B5 81FE 000100>CMP ESI,100
711B01BB ^ 75 BA JNZ SHORT V2200531.711B0177
711B01BD 8B45 D0 MOV EAX,DWORD PTR SS:[EBP-30]
711B01C0 E8 EF4AF7FF CALL V2200531.71124CB4
711B01C5 8BD0 MOV EDX,EAX
711B01C7 8D45 D0 LEA EAX,DWORD PTR SS:[EBP-30]
711B01CA E8 2548F7FF CALL V2200531.711249F4
711B01CF 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
711B01D2 83C0 04 ADD EAX,4
711B01D5 8945 E8 MOV DWORD PTR SS:[EBP-18],EAX
711B01D8 8D45 D4 LEA EAX,DWORD PTR SS:[EBP-2C]
711B01DB E8 2446F7FF CALL V2200531.71124804
711B01E0 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
711B01E3 8338 00 CMP DWORD PTR DS:[EAX],0
711B01E6 76 7C JBE SHORT V2200531.711B0264
711B01E8 8D45 D4 LEA EAX,DWORD PTR SS:[EBP-2C]
711B01EB BA 00010000 MOV EDX,100
711B01F0 E8 4B4CF7FF CALL V2200531.71124E40
711B01F5 8D45 D4 LEA EAX,DWORD PTR SS:[EBP-2C]
711B01F8 E8 0F4BF7FF CALL V2200531.71124D0C
711B01FD BA 00010000 MOV EDX,100
711B0202 E8 D978F7FF CALL V2200531.71127AE0
711B0207 BE 01000000 MOV ESI,1
711B020C 33C0 XOR EAX,EAX
711B020E 8945 F0 MOV DWORD PTR SS:[EBP-10],EAX
711B0211 837D F0 01 CMP DWORD PTR SS:[EBP-10],1
711B0215 73 28 JNB SHORT V2200531.711B023F
711B0217 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
711B021A 50 PUSH EAX
711B021B 6A 01 PUSH 1
711B021D 8D45 D4 LEA EAX,DWORD PTR SS:[EBP-2C]
711B0220 E8 E74AF7FF CALL V2200531.71124D0C
711B0225 8D4430 FF LEA EAX,DWORD PTR DS:[EAX+ESI-1]
711B0229 50 PUSH EAX
711B022A 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
711B022D 8B00 MOV EAX,DWORD PTR DS:[EAX]
711B022F 03C6 ADD EAX,ESI
711B0231 48 DEC EAX
711B0232 50 PUSH EAX
711B0233 57 PUSH EDI
711B0234 E8 576FF7FF CALL V2200531.71127190 ; JMP to kernel32.ReadProcessMemory
711B0239 837D F0 01 CMP DWORD PTR SS:[EBP-10],1
711B023D ^ 72 D8 JB SHORT V2200531.711B0217
711B023F 8B45 D4 MOV EAX,DWORD PTR SS:[EBP-2C]
711B0242 807C30 FF 0>CMP BYTE PTR DS:[EAX+ESI-1],0
711B0247 74 09 JE SHORT V2200531.711B0252
711B0249 46 INC ESI
711B024A 81FE 000100>CMP ESI,100
711B0250 ^ 75 BA JNZ SHORT V2200531.711B020C
711B0252 8B45 D4 MOV EAX,DWORD PTR SS:[EBP-2C]
711B0255 E8 5A4AF7FF CALL V2200531.71124CB4
711B025A 8BD0 MOV EDX,EAX
711B025C 8D45 D4 LEA EAX,DWORD PTR SS:[EBP-2C]
711B025F E8 9047F7FF CALL V2200531.711249F4
711B0264 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
711B0267 83C0 04 ADD EAX,4
711B026A 8945 E8 MOV DWORD PTR SS:[EBP-18],EAX
711B026D 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
711B0270 F700 FF0000>TEST DWORD PTR DS:[EAX],0FF
711B0276 0F9745 DB SETA BYTE PTR SS:[EBP-25]
711B027A 83BD FCFEFF>CMP DWORD PTR SS:[EBP-104],0
711B0281 0F86 3C0100>JBE V2200531.711B03C3
711B0287 83BD F4FEFF>CMP DWORD PTR SS:[EBP-10C],0
711B028E 0F86 2F0100>JBE V2200531.711B03C3
711B0294 8B85 F4FEFF>MOV EAX,DWORD PTR SS:[EBP-10C]
711B029A 8945 E0 MOV DWORD PTR SS:[EBP-20],EAX
711B029D 8D45 E4 LEA EAX,DWORD PTR SS:[EBP-1C]
711B02A0 8B55 E0 MOV EDX,DWORD PTR SS:[EBP-20]
711B02A3 E8 984BF7FF CALL V2200531.71124E40
711B02A8 33C0 XOR EAX,EAX
711B02AA 8945 F0 MOV DWORD PTR SS:[EBP-10],EAX
711B02AD EB 21 JMP SHORT V2200531.711B02D0
711B02AF 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
711B02B2 50 PUSH EAX
711B02B3 8B85 F4FEFF>MOV EAX,DWORD PTR SS:[EBP-10C]
711B02B9 50 PUSH EAX
711B02BA 8D45 E4 LEA EAX,DWORD PTR SS:[EBP-1C]
711B02BD E8 4A4AF7FF CALL V2200531.71124D0C
711B02C2 50 PUSH EAX
711B02C3 8B85 FCFEFF>MOV EAX,DWORD PTR SS:[EBP-104]
711B02C9 50 PUSH EAX
711B02CA 57 PUSH EDI
711B02CB E8 C06EF7FF CALL V2200531.71127190 ; JMP to kernel32.ReadProcessMemory
711B02D0 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
711B02D3 3B85 F4FEFF>CMP EAX,DWORD PTR SS:[EBP-10C]
711B02D9 ^ 72 D4 JB SHORT V2200531.711B02AF
711B02DB 8D45 DC LEA EAX,DWORD PTR SS:[EBP-24]
711B02DE E8 2145F7FF CALL V2200531.71124804
711B02E3 83BD F8FEFF>CMP DWORD PTR SS:[EBP-108],0
711B02EA 76 7D JBE SHORT V2200531.711B0369
711B02EC 8D45 DC LEA EAX,DWORD PTR SS:[EBP-24]
711B02EF BA 00010000 MOV EDX,100
711B02F4 E8 474BF7FF CALL V2200531.71124E40
711B02F9 8D45 DC LEA EAX,DWORD PTR SS:[EBP-24]
711B02FC E8 0B4AF7FF CALL V2200531.71124D0C
711B0301 BA 00010000 MOV EDX,100
711B0306 E8 D577F7FF CALL V2200531.71127AE0
711B030B BE 01000000 MOV ESI,1
711B0310 33C0 XOR EAX,EAX
711B0312 8945 F0 MOV DWORD PTR SS:[EBP-10],EAX
711B0315 837D F0 01 CMP DWORD PTR SS:[EBP-10],1
711B0319 73 29 JNB SHORT V2200531.711B0344
711B031B 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
711B031E 50 PUSH EAX
711B031F 6A 01 PUSH 1
711B0321 8D45 DC LEA EAX,DWORD PTR SS:[EBP-24]
711B0324 E8 E349F7FF CALL V2200531.71124D0C
711B0329 8D4430 FF LEA EAX,DWORD PTR DS:[EAX+ESI-1]
711B032D 50 PUSH EAX
711B032E 8B85 F8FEFF>MOV EAX,DWORD PTR SS:[EBP-108]
711B0334 03C6 ADD EAX,ESI
711B0336 48 DEC EAX
711B0337 50 PUSH EAX
711B0338 57 PUSH EDI
711B0339 E8 526EF7FF CALL V2200531.71127190 ; JMP to kernel32.ReadProcessMemory
711B033E 837D F0 01 CMP DWORD PTR SS:[EBP-10],1
711B0342 ^ 72 D7 JB SHORT V2200531.711B031B
711B0344 8B45 DC MOV EAX,DWORD PTR SS:[EBP-24]
711B0347 807C30 FF 0>CMP BYTE PTR DS:[EAX+ESI-1],0
711B034C 74 09 JE SHORT V2200531.711B0357
711B034E 46 INC ESI
711B034F 81FE 000100>CMP ESI,100
711B0355 ^ 75 B9 JNZ SHORT V2200531.711B0310
711B0357 8B45 DC MOV EAX,DWORD PTR SS:[EBP-24]
711B035A E8 5549F7FF CALL V2200531.71124CB4
711B035F 8BD0 MOV EDX,EAX
711B0361 8D45 DC LEA EAX,DWORD PTR SS:[EBP-24]
711B0364 E8 8B46F7FF CALL V2200531.711249F4
711B0369 8A45 DB MOV AL,BYTE PTR SS:[EBP-25]
711B036C 50 PUSH EAX
711B036D 8B45 D4 MOV EAX,DWORD PTR SS:[EBP-2C]
711B0370 50 PUSH EAX
711B0371 8B45 D0 MOV EAX,DWORD PTR SS:[EBP-30]
711B0374 50 PUSH EAX
711B0375 8A45 CF MOV AL,BYTE PTR SS:[EBP-31]
711B0378 50 PUSH EAX
711B0379 8D45 E4 LEA EAX,DWORD PTR SS:[EBP-1C]
711B037C E8 8B49F7FF CALL V2200531.71124D0C
711B0381 8B4D DC MOV ECX,DWORD PTR SS:[EBP-24]
711B0384 8B55 E0 MOV EDX,DWORD PTR SS:[EBP-20]
711B0387 E8 58EBFFFF CALL V2200531.711AEEE4
711B038C 66:8945 CC MOV WORD PTR SS:[EBP-34],AX
711B0390 33C0 XOR EAX,EAX
711B0392 8945 F0 MOV DWORD PTR SS:[EBP-10],EAX
711B0395 EB 21 JMP SHORT V2200531.711B03B8
711B0397 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
711B039A 50 PUSH EAX
711B039B 8B85 F4FEFF>MOV EAX,DWORD PTR SS:[EBP-10C]
711B03A1 50 PUSH EAX
711B03A2 8D45 E4 LEA EAX,DWORD PTR SS:[EBP-1C]
711B03A5 E8 6249F7FF CALL V2200531.71124D0C
711B03AA 50 PUSH EAX
711B03AB 8B85 FCFEFF>MOV EAX,DWORD PTR SS:[EBP-104]
711B03B1 50 PUSH EAX
711B03B2 57 PUSH EDI
711B03B3 E8 A86EF7FF CALL V2200531.71127260
711B03B8 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
711B03BB 3B85 F4FEFF>CMP EAX,DWORD PTR SS:[EBP-10C]
711B03C1 ^ 72 D4 JB SHORT V2200531.711B0397
711B03C3 0FB745 CC MOVZX EAX,WORD PTR SS:[EBP-34]
711B03C7 8985 FCFEFF>MOV DWORD PTR SS:[EBP-104],EAX
711B03CD 8385 10FFFF>ADD DWORD PTR SS:[EBP-F0],18
711B03D4 BE 02000100 MOV ESI,10002
711B03D9 E9 20030000 JMP V2200531.711B06FE
711B03DE A1 10E71F71 MOV EAX,DWORD PTR DS:[711FE710] ; four CCs + 01
711B03E3 8B40 3C MOV EAX,DWORD PTR DS:[EAX+3C]
711B03E6 0305 10E71F>ADD EAX,DWORD PTR DS:[711FE710]
711B03EC 66:8378 06 >CMP WORD PTR DS:[EAX+6],3
711B03F1 74 05 JE SHORT V2200531.711B03F8
711B03F3 E8 9CC1FFFF CALL V2200531.711AC594
711B03F8 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
711B03FB BA 18000000 MOV EDX,18
711B0400 E8 3B4AF7FF CALL V2200531.71124E40
711B0405 33C0 XOR EAX,EAX
711B0407 8945 F0 MOV DWORD PTR SS:[EBP-10],EAX
711B040A 837D F0 18 CMP DWORD PTR SS:[EBP-10],18
711B040E 73 22 JNB SHORT V2200531.711B0432
711B0410 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
711B0413 50 PUSH EAX
711B0414 6A 18 PUSH 18
711B0416 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
711B0419 E8 EE48F7FF CALL V2200531.71124D0C
711B041E 50 PUSH EAX
711B041F 8B85 10FFFF>MOV EAX,DWORD PTR SS:[EBP-F0]
711B0425 50 PUSH EAX
711B0426 57 PUSH EDI
711B0427 E8 646DF7FF CALL V2200531.71127190 ; JMP to kernel32.ReadProcessMemory
711B042C 837D F0 18 CMP DWORD PTR SS:[EBP-10],18
711B0430 ^ 72 DE JB SHORT V2200531.711B0410
711B0432 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
711B0435 E8 D248F7FF CALL V2200531.71124D0C
711B043A 8945 E8 MOV DWORD PTR SS:[EBP-18],EAX
711B043D 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
711B0440 8B00 MOV EAX,DWORD PTR DS:[EAX]
711B0442 8985 00FFFF>MOV DWORD PTR SS:[EBP-100],EAX
711B0448 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
711B044B 83C0 04 ADD EAX,4
711B044E 8945 E8 MOV DWORD PTR SS:[EBP-18],EAX
711B0451 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
711B0454 8B00 MOV EAX,DWORD PTR DS:[EAX]
711B0456 8985 04FFFF>MOV DWORD PTR SS:[EBP-FC],EAX
711B045C 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
711B045F 83C0 04 ADD EAX,4
711B0462 8945 E8 MOV DWORD PTR SS:[EBP-18],EAX
711B0465 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
711B0468 8A00 MOV AL,BYTE PTR DS:[EAX]
711B046A 8845 CF MOV BYTE PTR SS:[EBP-31],AL
711B046D 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
711B0470 83C0 04 ADD EAX,4
711B0473 8945 E8 MOV DWORD PTR SS:[EBP-18],EAX
711B0476 8D45 D0 LEA EAX,DWORD PTR SS:[EBP-30]
711B0479 E8 8643F7FF CALL V2200531.71124804
711B047E 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
711B0481 8338 00 CMP DWORD PTR DS:[EAX],0
711B0484 76 7C JBE SHORT V2200531.711B0502
711B0486 8D45 D0 LEA EAX,DWORD PTR SS:[EBP-30]
711B0489 BA 00010000 MOV EDX,100
711B048E E8 AD49F7FF CALL V2200531.71124E40
711B0493 8D45 D0 LEA EAX,DWORD PTR SS:[EBP-30]
711B0496 E8 7148F7FF CALL V2200531.71124D0C
711B049B BA 00010000 MOV EDX,100
711B04A0 E8 3B76F7FF CALL V2200531.71127AE0
711B04A5 BE 01000000 MOV ESI,1
711B04AA 33C0 XOR EAX,EAX
711B04AC 8945 F0 MOV DWORD PTR SS:[EBP-10],EAX
711B04AF 837D F0 01 CMP DWORD PTR SS:[EBP-10],1
711B04B3 73 28 JNB SHORT V2200531.711B04DD
711B04B5 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
711B04B8 50 PUSH EAX
711B04B9 6A 01 PUSH 1
711B04BB 8D45 D0 LEA EAX,DWORD PTR SS:[EBP-30]
711B04BE E8 4948F7FF CALL V2200531.71124D0C
711B04C3 8D4430 FF LEA EAX,DWORD PTR DS:[EAX+ESI-1]
711B04C7 50 PUSH EAX
711B04C8 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
711B04CB 8B00 MOV EAX,DWORD PTR DS:[EAX]
711B04CD 03C6 ADD EAX,ESI
711B04CF 48 DEC EAX
711B04D0 50 PUSH EAX
711B04D1 57 PUSH EDI
711B04D2 E8 B96CF7FF CALL V2200531.71127190 ; JMP to kernel32.ReadProcessMemory
711B04D7 837D F0 01 CMP DWORD PTR SS:[EBP-10],1
711B04DB ^ 72 D8 JB SHORT V2200531.711B04B5
711B04DD 8B45 D0 MOV EAX,DWORD PTR SS:[EBP-30]
711B04E0 807C30 FF 0>CMP BYTE PTR DS:[EAX+ESI-1],0
711B04E5 74 09 JE SHORT V2200531.711B04F0
711B04E7 46 INC ESI
711B04E8 81FE 000100>CMP ESI,100
711B04EE ^ 75 BA JNZ SHORT V2200531.711B04AA
711B04F0 8B45 D0 MOV EAX,DWORD PTR SS:[EBP-30]
711B04F3 E8 BC47F7FF CALL V2200531.71124CB4
711B04F8 8BD0 MOV EDX,EAX
711B04FA 8D45 D0 LEA EAX,DWORD PTR SS:[EBP-30]
711B04FD E8 F244F7FF CALL V2200531.711249F4
711B0502 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
711B0505 83C0 04 ADD EAX,4
711B0508 8945 E8 MOV DWORD PTR SS:[EBP-18],EAX
711B050B 8D45 D4 LEA EAX,DWORD PTR SS:[EBP-2C]
711B050E E8 F142F7FF CALL V2200531.71124804
711B0513 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
711B0516 8338 00 CMP DWORD PTR DS:[EAX],0
711B0519 76 7C JBE SHORT V2200531.711B0597
711B051B 8D45 D4 LEA EAX,DWORD PTR SS:[EBP-2C]
711B051E BA 00010000 MOV EDX,100
711B0523 E8 1849F7FF CALL V2200531.71124E40
711B0528 8D45 D4 LEA EAX,DWORD PTR SS:[EBP-2C]
711B052B E8 DC47F7FF CALL V2200531.71124D0C
711B0530 BA 00010000 MOV EDX,100
711B0535 E8 A675F7FF CALL V2200531.71127AE0
711B053A BE 01000000 MOV ESI,1
711B053F 33C0 XOR EAX,EAX
711B0541 8945 F0 MOV DWORD PTR SS:[EBP-10],EAX
711B0544 837D F0 01 CMP DWORD PTR SS:[EBP-10],1
711B0548 73 28 JNB SHORT V2200531.711B0572
711B054A 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
711B054D 50 PUSH EAX
711B054E 6A 01 PUSH 1
711B0550 8D45 D4 LEA EAX,DWORD PTR SS:[EBP-2C]
711B0553 E8 B447F7FF CALL V2200531.71124D0C
711B0558 8D4430 FF LEA EAX,DWORD PTR DS:[EAX+ESI-1]
711B055C 50 PUSH EAX
711B055D 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
711B0560 8B00 MOV EAX,DWORD PTR DS:[EAX]
711B0562 03C6 ADD EAX,ESI
711B0564 48 DEC EAX
711B0565 50 PUSH EAX
711B0566 57 PUSH EDI
711B0567 E8 246CF7FF CALL V2200531.71127190 ; JMP to kernel32.ReadProcessMemory
711B056C 837D F0 01 CMP DWORD PTR SS:[EBP-10],1
711B0570 ^ 72 D8 JB SHORT V2200531.711B054A
711B0572 8B45 D4 MOV EAX,DWORD PTR SS:[EBP-2C]
711B0575 807C30 FF 0>CMP BYTE PTR DS:[EAX+ESI-1],0
711B057A 74 09 JE SHORT V2200531.711B0585
711B057C 46 INC ESI
711B057D 81FE 000100>CMP ESI,100
711B0583 ^ 75 BA JNZ SHORT V2200531.711B053F
711B0585 8B45 D4 MOV EAX,DWORD PTR SS:[EBP-2C]
711B0588 E8 2747F7FF CALL V2200531.71124CB4
711B058D 8BD0 MOV EDX,EAX
711B058F 8D45 D4 LEA EAX,DWORD PTR SS:[EBP-2C]
711B0592 E8 5D44F7FF CALL V2200531.711249F4
711B0597 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
711B059A 83C0 04 ADD EAX,4
711B059D 8945 E8 MOV DWORD PTR SS:[EBP-18],EAX
711B05A0 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
711B05A3 F700 FF0000>TEST DWORD PTR DS:[EAX],0FF
711B05A9 0F9745 DB SETA BYTE PTR SS:[EBP-25]
711B05AD 83BD FCFEFF>CMP DWORD PTR SS:[EBP-104],0
711B05B4 0F86 380100>JBE V2200531.711B06F2
711B05BA 83BD F4FEFF>CMP DWORD PTR SS:[EBP-10C],0
711B05C1 0F86 2B0100>JBE V2200531.711B06F2
711B05C7 8B85 F4FEFF>MOV EAX,DWORD PTR SS:[EBP-10C]
711B05CD 8945 E0 MOV DWORD PTR SS:[EBP-20],EAX
711B05D0 8D45 E4 LEA EAX,DWORD PTR SS:[EBP-1C]
711B05D3 8B55 E0 MOV EDX,DWORD PTR SS:[EBP-20]
711B05D6 E8 6548F7FF CALL V2200531.71124E40
711B05DB 33C0 XOR EAX,EAX
711B05DD 8945 F0 MOV DWORD PTR SS:[EBP-10],EAX
711B05E0 EB 21 JMP SHORT V2200531.711B0603
711B05E2 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
711B05E5 50 PUSH EAX
711B05E6 8B85 F4FEFF>MOV EAX,DWORD PTR SS:[EBP-10C]
711B05EC 50 PUSH EAX
711B05ED 8D45 E4 LEA EAX,DWORD PTR SS:[EBP-1C]
711B05F0 E8 1747F7FF CALL V2200531.71124D0C
711B05F5 50 PUSH EAX
711B05F6 8B85 FCFEFF>MOV EAX,DWORD PTR SS:[EBP-104]
711B05FC 50 PUSH EAX
711B05FD 57 PUSH EDI
711B05FE E8 8D6BF7FF CALL V2200531.71127190 ; JMP to kernel32.ReadProcessMemory
711B0603 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
711B0606 3B85 F4FEFF>CMP EAX,DWORD PTR SS:[EBP-10C]
711B060C ^ 72 D4 JB SHORT V2200531.711B05E2
711B060E 8D45 DC LEA EAX,DWORD PTR SS:[EBP-24]
711B0611 E8 EE41F7FF CALL V2200531.71124804
711B0616 83BD F8FEFF>CMP DWORD PTR SS:[EBP-108],0
711B061D 76 7D JBE SHORT V2200531.711B069C
711B061F 8D45 DC LEA EAX,DWORD PTR SS:[EBP-24]
711B0622 BA 00010000 MOV EDX,100
711B0627 E8 1448F7FF CALL V2200531.71124E40
711B062C 8D45 DC LEA EAX,DWORD PTR SS:[EBP-24]
711B062F E8 D846F7FF CALL V2200531.71124D0C
711B0634 BA 00010000 MOV EDX,100
711B0639 E8 A274F7FF CALL V2200531.71127AE0
711B063E BE 01000000 MOV ESI,1
711B0643 33C0 XOR EAX,EAX
711B0645 8945 F0 MOV DWORD PTR SS:[EBP-10],EAX
711B0648 837D F0 01 CMP DWORD PTR SS:[EBP-10],1
711B064C 73 29 JNB SHORT V2200531.711B0677
711B064E 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
711B0651 50 PUSH EAX
711B0652 6A 01 PUSH 1
711B0654 8D45 DC LEA EAX,DWORD PTR SS:[EBP-24]
711B0657 E8 B046F7FF CALL V2200531.71124D0C
711B065C 8D4430 FF LEA EAX,DWORD PTR DS:[EAX+ESI-1]
711B0660 50 PUSH EAX
711B0661 8B85 F8FEFF>MOV EAX,DWORD PTR SS:[EBP-108]
711B0667 03C6 ADD EAX,ESI
711B0669 48 DEC EAX
711B066A 50 PUSH EAX
711B066B 57 PUSH EDI
711B066C E8 1F6BF7FF CALL V2200531.71127190 ; JMP to kernel32.ReadProcessMemory
711B0671 837D F0 01 CMP DWORD PTR SS:[EBP-10],1
711B0675 ^ 72 D7 JB SHORT V2200531.711B064E
711B0677 8B45 DC MOV EAX,DWORD PTR SS:[EBP-24]
711B067A 807C30 FF 0>CMP BYTE PTR DS:[EAX+ESI-1],0
711B067F 74 09 JE SHORT V2200531.711B068A
711B0681 46 INC ESI
711B0682 81FE 000100>CMP ESI,100
711B0688 ^ 75 B9 JNZ SHORT V2200531.711B0643
711B068A 8B45 DC MOV EAX,DWORD PTR SS:[EBP-24]
711B068D E8 2246F7FF CALL V2200531.71124CB4
711B0692 8BD0 MOV EDX,EAX
711B0694 8D45 DC LEA EAX,DWORD PTR SS:[EBP-24]
711B0697 E8 5843F7FF CALL V2200531.711249F4
711B069C 8A45 DB MOV AL,BYTE PTR SS:[EBP-25]
711B069F 50 PUSH EAX
711B06A0 8B45 D4 MOV EAX,DWORD PTR SS:[EBP-2C]
711B06A3 50 PUSH EAX
711B06A4 8B45 D0 MOV EAX,DWORD PTR SS:[EBP-30]
711B06A7 50 PUSH EAX
711B06A8 8A45 CF MOV AL,BYTE PTR SS:[EBP-31]
711B06AB 50 PUSH EAX
711B06AC 8D45 E4 LEA EAX,DWORD PTR SS:[EBP-1C]
711B06AF E8 5846F7FF CALL V2200531.71124D0C
711B06B4 8B4D DC MOV ECX,DWORD PTR SS:[EBP-24]
711B06B7 8B55 E0 MOV EDX,DWORD PTR SS:[EBP-20]
711B06BA E8 A1E9FFFF CALL V2200531.711AF060
711B06BF 33C0 XOR EAX,EAX
711B06C1 8945 F0 MOV DWORD PTR SS:[EBP-10],EAX
711B06C4 EB 21 JMP SHORT V2200531.711B06E7
711B06C6 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
711B06C9 50 PUSH EAX
711B06CA 8B85 F4FEFF>MOV EAX,DWORD PTR SS:[EBP-10C]
711B06D0 50 PUSH EAX
711B06D1 8D45 E4 LEA EAX,DWORD PTR SS:[EBP-1C]
711B06D4 E8 3346F7FF CALL V2200531.71124D0C
711B06D9 50 PUSH EAX
711B06DA 8B85 FCFEFF>MOV EAX,DWORD PTR SS:[EBP-104]
711B06E0 50 PUSH EAX
711B06E1 57 PUSH EDI
711B06E2 E8 796BF7FF CALL V2200531.71127260
711B06E7 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
711B06EA 3B85 F4FEFF>CMP EAX,DWORD PTR SS:[EBP-10C]
711B06F0 ^ 72 D4 JB SHORT V2200531.711B06C6
711B06F2 8385 10FFFF>ADD DWORD PTR SS:[EBP-F0],18
711B06F9 BE 02000100 MOV ESI,10002
711B06FE 57 PUSH EDI ; reached here once the CC (INT3) records have been processed
711B06FF E8 5C67F7FF CALL V2200531.71126E60
711B0704 8B85 0CFFFF>MOV EAX,DWORD PTR SS:[EBP-F4]
711B070A 25 00010000 AND EAX,100
711B070F 3D 00010000 CMP EAX,100
711B0714 74 25 JE SHORT V2200531.711B073B
711B0716 813D 10E71F>CMP DWORD PTR DS:[711FE710],V2200531>; ASCII "MZP"
711B0720 75 2B JNZ SHORT V2200531.711B074D
711B0722 A1 4C062071 MOV EAX,DWORD PTR DS:[7120064C]
711B0727 0305 500620>ADD EAX,DWORD PTR DS:[71200650]
711B072D 0305 540620>ADD EAX,DWORD PTR DS:[71200654]
711B0733 3B05 480620>CMP EAX,DWORD PTR DS:[71200648]
711B0739 74 12 JE SHORT V2200531.711B074D
711B073B B8 FFFFFF7F MOV EAX,7FFFFFFF
711B0740 E8 8728F7FF CALL V2200531.71122FCC
711B0745 8985 04FFFF>MOV DWORD PTR SS:[EBP-FC],EAX
711B074B EB 2A JMP SHORT V2200531.711B0777
711B074D 33C0 XOR EAX,EAX
711B074F 8985 50FEFF>MOV DWORD PTR SS:[EBP-1B0],EAX
711B0755 33C0 XOR EAX,EAX
711B0757 8985 54FEFF>MOV DWORD PTR SS:[EBP-1AC],EAX
711B075D 33C0 XOR EAX,EAX
711B075F 8985 58FEFF>MOV DWORD PTR SS:[EBP-1A8],EAX
711B0765 33C0 XOR EAX,EAX
711B0767 8985 5CFEFF>MOV DWORD PTR SS:[EBP-1A4],EAX
711B076D C785 64FEFF>MOV DWORD PTR SS:[EBP-19C],155
711B0777 8D85 4CFEFF>LEA EAX,DWORD PTR SS:[EBP-1B4]
711B077D 50 PUSH EAX
711B077E 8B85 20FFFF>MOV EAX,DWORD PTR SS:[EBP-E0]
711B0784 33D2 XOR EDX,EDX
711B0786 52 PUSH EDX
711B0787 50 PUSH EAX
711B0788 8D85 00FEFF>LEA EAX,DWORD PTR SS:[EBP-200]
711B078E E8 3189F7FF CALL V2200531.711290C4
711B0793 8B95 00FEFF>MOV EDX,DWORD PTR SS:[EBP-200]
711B0799 8D8D 04FEFF>LEA ECX,DWORD PTR SS:[EBP-1FC]
711B079F 8BC3 MOV EAX,EBX
711B07A1 E8 06D4F8FF CALL V2200531.7113DBAC
711B07A6 8B85 04FEFF>MOV EAX,DWORD PTR SS:[EBP-1FC]
711B07AC E8 C389F7FF CALL V2200531.71129174
711B07B1 50 PUSH EAX
711B07B2 E8 216AF7FF CALL V2200531.711271D8 ; SetThreadContext
711B07B7 8B85 20FFFF>MOV EAX,DWORD PTR SS:[EBP-E0]
711B07BD 33D2 XOR EDX,EDX
711B07BF 52 PUSH EDX
711B07C0 50 PUSH EAX
711B07C1 8D85 FCFDFF>LEA EAX,DWORD PTR SS:[EBP-204]
711B07C7 E8 F888F7FF CALL V2200531.711290C4
711B07CC 8D85 FCFDFF>LEA EAX,DWORD PTR SS:[EBP-204]
711B07D2 50 PUSH EAX
711B07D3 8D8D F8FDFF>LEA ECX,DWORD PTR SS:[EBP-208]
711B07D9 BA 01000000 MOV EDX,1
711B07DE B8 26000000 MOV EAX,26
711B07E3 E8 7CBFFFFF CALL V2200531.711AC764
711B07E8 8B95 F8FDFF>MOV EDX,DWORD PTR SS:[EBP-208]
711B07EE 58 POP EAX
711B07EF E8 D042F7FF CALL V2200531.71124AC4
711B07F4 8B95 FCFDFF>MOV EDX,DWORD PTR SS:[EBP-204]
711B07FA 33C9 XOR ECX,ECX
711B07FC 8BC3 MOV EAX,EBX
711B07FE E8 81DAF8FF CALL V2200531.7113E284
711B0803 EB 72 JMP SHORT V2200531.711B0877
711B0805 8B85 1CFFFF>MOV EAX,DWORD PTR SS:[EBP-E4] ; Case 8
711B080B 3B45 80 CMP EAX,DWORD PTR SS:[EBP-80]
711B080E 75 67 JNZ SHORT V2200531.711B0877
711B0810 8B85 20FFFF>MOV EAX,DWORD PTR SS:[EBP-E0]
711B0816 33D2 XOR EDX,EDX
711B0818 52 PUSH EDX
711B0819 50 PUSH EAX
711B081A 8D85 F4FDFF>LEA EAX,DWORD PTR SS:[EBP-20C]
711B0820 E8 9F88F7FF CALL V2200531.711290C4
711B0825 8D85 F4FDFF>LEA EAX,DWORD PTR SS:[EBP-20C]
711B082B 50 PUSH EAX
711B082C 8D8D F0FDFF>LEA ECX,DWORD PTR SS:[EBP-210]
711B0832 BA 01000000 MOV EDX,1
711B0837 B8 26000000 MOV EAX,26
711B083C E8 23BFFFFF CALL V2200531.711AC764
711B0841 8B95 F0FDFF>MOV EDX,DWORD PTR SS:[EBP-210]
711B0847 58 POP EAX
711B0848 E8 7742F7FF CALL V2200531.71124AC4
711B084D 8B85 F4FDFF>MOV EAX,DWORD PTR SS:[EBP-20C]
711B0853 50 PUSH EAX
711B0854 8B85 24FFFF>MOV EAX,DWORD PTR SS:[EBP-DC]
711B085A 33D2 XOR EDX,EDX
711B085C 52 PUSH EDX
711B085D 50 PUSH EAX
711B085E 8D85 ECFDFF>LEA EAX,DWORD PTR SS:[EBP-214]
711B0864 E8 5B88F7FF CALL V2200531.711290C4
711B0869 8B8D ECFDFF>MOV ECX,DWORD PTR SS:[EBP-214]
711B086F 8BC3 MOV EAX,EBX
711B0871 5A POP EDX
711B0872 E8 0DDAF8FF CALL V2200531.7113E284
711B0877 56 PUSH ESI ; Case 6, 7
711B0878 8B85 20FFFF>MOV EAX,DWORD PTR SS:[EBP-E0]
711B087E 50 PUSH EAX
711B087F 8B85 1CFFFF>MOV EAX,DWORD PTR SS:[EBP-E4]
711B0885 50 PUSH EAX
711B0886 E8 E565F7FF CALL V2200531.71126E70 ; JMP to kernel32.ContinueDebugEvent
711B088B 6A FF PUSH -1
711B088D 8D85 18FFFF>LEA EAX,DWORD PTR SS:[EBP-E8]
711B0893 50 PUSH EAX
711B0894 E8 A769F7FF CALL V2200531.71127240 ; JMP to kernel32.WaitForDebugEvent
711B0899 85C0 TEST EAX,EAX
711B089B ^ 0F85 23F3FF>JNZ V2200531.711AFBC4 ; loop
Set a conditional breakpoint at 711B0886 with the condition CONTEXT.regEip<004F3000 and you will find the OEP to be 004C75B0; then dump the whole process with LordPE.
2. Fixing the IAT
Analysing V22005314.EPE locates the code that handles the IAT:
711E3728 55 PUSH EBP
711E3729 8BEC MOV EBP,ESP
711E372B 83C4 F8 ADD ESP,-8
711E372E 53 PUSH EBX
711E372F 56 PUSH ESI
711E3730 57 PUSH EDI
711E3731 8BF9 MOV EDI,ECX ; ECX = address of the IAT slot
711E3733 8955 FC MOV DWORD PTR SS:[EBP-4],EDX ; EDX = function address
711E3736 8BF0 MOV ESI,EAX
711E3738 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
711E373B 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX
711E373E 807D 08 00 CMP BYTE PTR SS:[EBP+8],0 ; flag: is this IAT entry to be encrypted?
711E3742 0F84 85000>JE V2200531.711E37CD ; Magic JMP
711E3748 B8 0F00000>MOV EAX,0F
711E374D E8 1AF0F3F>CALL V2200531.7112276C
711E3752 8BD8 MOV EBX,EAX
711E3754 85DB TEST EBX,EBX
711E3756 74 75 JE SHORT V2200531.711E37CD
711E3758 8B86 68030>MOV EAX,DWORD PTR DS:[ESI+368]
711E375E E8 3D24F4F>CALL V2200531.71125BA0
711E3763 40 INC EAX
711E3764 50 PUSH EAX
711E3765 8D86 68030>LEA EAX,DWORD PTR DS:[ESI+368]
711E376B B9 0100000>MOV ECX,1
711E3770 8B15 ACF61>MOV EDX,DWORD PTR DS:[711DF6AC]
711E3776 E8 E125F4F>CALL V2200531.71125D5C
711E377B 83C4 04 ADD ESP,4
711E377E 8B86 68030>MOV EAX,DWORD PTR DS:[ESI+368]
711E3784 E8 1724F4F>CALL V2200531.71125BA0
711E3789 8B96 68030>MOV EDX,DWORD PTR DS:[ESI+368]
711E378F 895C82 FC MOV DWORD PTR DS:[EDX+EAX*4-4],EBX
711E3793 C603 E8 MOV BYTE PTR DS:[EBX],0E8
711E3796 8BD3 MOV EDX,EBX
711E3798 8BC2 MOV EAX,EDX
711E379A 40 INC EAX
711E379B B9 68C91A7>MOV ECX,V2200531.711AC968
711E37A0 2BC8 SUB ECX,EAX
711E37A2 83E9 04 SUB ECX,4
711E37A5 8908 MOV DWORD PTR DS:[EAX],ECX
711E37A7 C643 05 FF MOV BYTE PTR DS:[EBX+5],0FF
711E37AB C643 06 25 MOV BYTE PTR DS:[EBX+6],25
711E37AF 8BC2 MOV EAX,EDX
711E37B1 83C0 07 ADD EAX,7
711E37B4 8BCA MOV ECX,EDX
711E37B6 83C1 0B ADD ECX,0B
711E37B9 8908 MOV DWORD PTR DS:[EAX],ECX
711E37BB 8BC3 MOV EAX,EBX
711E37BD 83C0 0B ADD EAX,0B
711E37C0 8BCA MOV ECX,EDX
711E37C2 83C1 05 ADD ECX,5
711E37C5 334D FC XOR ECX,DWORD PTR SS:[EBP-4]
711E37C8 8908 MOV DWORD PTR DS:[EAX],ECX
711E37CA 8955 F8 MOV DWORD PTR SS:[EBP-8],EDX
711E37CD 85FF TEST EDI,EDI
711E37CF 74 29 JE SHORT V2200531.711E37FA
711E37D1 33D2 XOR EDX,EDX
711E37D3 55 PUSH EBP
711E37D4 68 F0371E7>PUSH V2200531.711E37F0
711E37D9 64:FF32 PUSH DWORD PTR FS:[EDX]
711E37DC 64:8922 MOV DWORD PTR FS:[EDX],ESP
711E37DF 8BC7 MOV EAX,EDI
711E37E1 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]
711E37E4 8910 MOV DWORD PTR DS:[EAX],EDX ; write the function address into the IAT slot
711E37E6 33C0 XOR EAX,EAX
711E37E8 5A POP EDX
711E37E9 59 POP ECX
711E37EA 59 POP ECX
711E37EB 64:8910 MOV DWORD PTR FS:[EAX],EDX
711E37EE EB 0A JMP SHORT V2200531.711E37FA
711E37F0 - E9 7706F4F>JMP V2200531.71123E6C
711E37F5 E8 DA09F4F>CALL V2200531.711241D4
711E37FA 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
711E37FD 5F POP EDI
711E37FE 5E POP ESI
711E37FF 5B POP EBX
711E3800 59 POP ECX
711E3801 59 POP ECX
711E3802 5D POP EBP
711E3803 C2 0400 RETN 4
Patch the Magic JMP and the complete IAT, from 004CC168 to 004CC878, is obtained.
3. About the Stolen Code
The dumped program contains a lot of stolen code, which is very troublesome to repair, so I simply dumped the following 4 regions as well and appended them to the original program; note that the image address of each region varies from run to run.
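As an added example (not code from this post or from EncryptPE), here is how the thunk layout built by the routine above can be undone offline, as an alternative to patching the Magic JMP: each encrypted IAT entry points at a 15-byte stub whose dword at +0x0B is the real API address XORed with the CALL's return address (stub+5), so anyone holding the dumped stub bytes can recover the real pointer after verifying every field of the layout. DECRYPTOR is the 711AC968 call target from the listing; the stub and API addresses in the demo are constructed values, and build_stub exists only to produce a fixture shaped like what the listing writes.

```python
import struct

# Thunk layout written by the code at 711E3748-711E37CA for an encrypted IAT entry
# (stub = the 15-byte block in EBX, f = the real API address held in [EBP-4]):
#   stub+0x00  E8 rel32            CALL 711AC968; the return address is stub+5
#   stub+0x05  FF 25 <stub+0x0B>   JMP DWORD PTR [stub+0x0B]
#   stub+0x0B  (stub+5) XOR f      the function pointer, keyed with the return address
STUB_SIZE = 0x0F
DECRYPTOR = 0x711AC968          # call target taken from the listing


def build_stub(stub_addr, func_addr, decryptor=DECRYPTOR):
    """Constructed fixture only: lay out a thunk the way the listing does."""
    rel = (decryptor - (stub_addr + 5)) & 0xFFFFFFFF
    return (b"\xE8" + struct.pack("<I", rel)
            + b"\xFF\x25" + struct.pack("<I", stub_addr + 0x0B)
            + struct.pack("<I", ((stub_addr + 5) ^ func_addr) & 0xFFFFFFFF))


def is_stub(stub_bytes, stub_addr, decryptor=DECRYPTOR):
    """Check every invariant of the layout; anything else is treated as a plain pointer."""
    if len(stub_bytes) < STUB_SIZE or stub_bytes[0] != 0xE8:
        return False
    rel = struct.unpack_from("<I", stub_bytes, 1)[0]
    if ((stub_addr + 5 + rel) & 0xFFFFFFFF) != decryptor:
        return False
    if bytes(stub_bytes[5:7]) != b"\xFF\x25":
        return False
    return struct.unpack_from("<I", stub_bytes, 7)[0] == stub_addr + 0x0B


def recover_api(stub_bytes, stub_addr, decryptor=DECRYPTOR):
    """Undo the XOR: the key is what the CALL pushes, i.e. stub+5."""
    if not is_stub(stub_bytes, stub_addr, decryptor):
        return None
    return struct.unpack_from("<I", stub_bytes, 0x0B)[0] ^ (stub_addr + 5)


def repair_iat(iat_entries, read_mem, decryptor=DECRYPTOR):
    """Rewrite a dumped IAT. read_mem(addr, n) returns n bytes of the dump at addr.
    Returns (repaired entries, number of thunks resolved)."""
    repaired, resolved = [], 0
    for entry in iat_entries:
        real = recover_api(read_mem(entry, STUB_SIZE), entry, decryptor)
        if real is None:
            repaired.append(entry)      # unencrypted entry: already the API address
        else:
            repaired.append(real)
            resolved += 1
    return repaired, resolved


if __name__ == "__main__":
    # Constructed demo: one thunk at 00E40000 wrapping an API at 7C801D7B,
    # plus one entry the packer left in the clear.
    memory = {0x00E40000: build_stub(0x00E40000, 0x7C801D7B)}
    read = lambda addr, n: memory.get(addr, b"\x00" * n)[:n]
    fixed, count = repair_iat([0x00E40000, 0x7C809AE4], read)
    print([hex(v) for v in fixed], count)   # ['0x7c801d7b', '0x7c809ae4'] 1
```

Because every field of the stub is checked (opcode, CALL target, JMP form, pointer back into the stub), a plain API pointer that happens to start with E8 is not misread, and an entry the shell left in the clear (the Magic JMP path) passes through unchanged.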
Region00EC0000-00FC0000
Region01380000-013DC000
Region01470000-01474000
Region0155C000-015E0000
4. About the embedded protection
At development time the main program had a lot of code embedded that talks to the shell, in the following form:
dumped.exe 55 PUSH EBP ; OEP
004C75B1 8BEC MOV EBP,ESP
004C75B3 83C4 F0 ADD ESP,-10
004C75B6 B8 B8734C0>MOV EAX,dumped1_.004C73B8
004C75BB E8 FCF5F3F>CALL dumped.00406BBC
004C75C0 E8 E758CE7>CALL 711ACEAC ; call the shell's decryption routine
004C75C5 FF5E A8 CALL FAR FWORD PTR DS:[ESI-58]
004C75C8 9F LAHF
004C75C9 4C DEC ESP
004C75CA 008B 00E80>ADD BYTE PTR DS:[EBX+7E06E800],CL
004C75D0 FA CLI
004C75D1 FFA1 A89F4>JMP NEAR DWORD PTR DS:[ECX+4C9FA8]
004C75D7 8B00 MOV EAX,DWORD PTR DS:[EAX]
004C75D9 C640 5B 00 MOV BYTE PTR DS:[EAX+5B],0
After the decryption routine has been called the code looks like this:
004C75C6 A1 A89F4C0>MOV EAX,DWORD PTR DS:[4C9FA8] ; first byte changed from 5E to A1
004C75CB 8B00 MOV EAX,DWORD PTR DS:[EAX]
004C75CD E8 067EFAF>CALL dumped.0046F3D8
004C75D2 A1 A89F4C0>MOV EAX,DWORD PTR DS:[4C9FA8]
004C75D7 8B00 MOV EAX,DWORD PTR DS:[EAX]
004C75D9 C640 5B 00 MOV BYTE PTR DS:[EAX+5B],0
The shell's decryption routine is as follows:
711ACEB6 8BC0 MOV EAX,EAX
711ACEB8 55 PUSH EBP
711ACEB9 8BEC MOV EBP,ESP
711ACEBB 51 PUSH ECX
711ACEBC 53 PUSH EBX
711ACEBD 68 3006207>PUSH V2200531.71200630
711ACEC2 E8 49A0F7F>CALL V2200531.71126F10 ; JMP to ntdll.RtlEnterCriticalSection
711ACEC7 833D 6C062>CMP DWORD PTR DS:[7120066C],0
711ACECE 74 1C JE SHORT V2200531.711ACEEC
711ACED0 8B1D 6C062>MOV EBX,DWORD PTR DS:[7120066C]
711ACED6 8BC3 MOV EAX,EBX
711ACED8 48 DEC EAX
711ACED9 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
711ACEDC 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
711ACEDF 8030 01 XOR BYTE PTR DS:[EAX],1
711ACEE2 8033 FF XOR BYTE PTR DS:[EBX],0FF
711ACEE5 33C0 XOR EAX,EAX
711ACEE7 A3 6C06207>MOV DWORD PTR DS:[7120066C],EAX
711ACEEC 50 PUSH EAX
711ACEED 8B4424 38 MOV EAX,DWORD PTR SS:[ESP+38] ; return address of the call into the shell
711ACEF1 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
711ACEF4 40 INC EAX ; return address + 1
711ACEF5 894424 38 MOV DWORD PTR SS:[ESP+38],EAX
711ACEF9 58 POP EAX
711ACEFA 8B5D FC MOV EBX,DWORD PTR SS:[EBP-4]
711ACEFD 43 INC EBX
711ACEFE 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
711ACF01 8A00 MOV AL,BYTE PTR DS:[EAX] ; first byte after the call
711ACF03 24 01 AND AL,1 ; take the lowest bit
711ACF05 3C 01 CMP AL,1
711ACF07 75 1A JNZ SHORT V2200531.711ACF23 ; if it is 0, leave untouched
711ACF09 B8 FF00000>MOV EAX,0FF
711ACF0E E8 B960F7F>CALL V2200531.71122FCC ; decryption operation
711ACF13 24 FE AND AL,0FE
711ACF15 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
711ACF18 8802 MOV BYTE PTR DS:[EDX],AL ; write one byte at the original return address
711ACF1A 8033 FF XOR BYTE PTR DS:[EBX],0FF ; process the second byte after the call
711ACF1D 891D 6C062>MOV DWORD PTR DS:[7120066C],EBX
711ACF23 68 3006207>PUSH V2200531.71200630
711ACF28 E8 CBA1F7F>CALL V2200531.711270F8 ; JMP to ntdll.RtlLeaveCriticalSection
711ACF2D 5B POP EBX
711ACF2E 59 POP ECX
711ACF2F 5D POP EBP
711ACF30 C3 RETN
To repair, NOP out every CALL 711ACEAC; if the first byte after the call is FE, leave the second byte unchanged, otherwise XOR the second byte with FF.
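Added example, not from this post: a static repair that does what the sentence above prescribes for every embedded call site at once, mirroring the shell routine at 711ACEF4-711ACF1A. The routine bumps the return address past the marker byte, so the marker never executes; the patch therefore replaces the 5-byte CALL plus the marker with 6 NOPs, and when the marker's low bit is set (the FF case in the listing; FE has it clear) the byte after it is XORed with FF. SAMPLE_BEFORE is rebuilt from the 004C75C0 listing above; the second fixture at 00401000 used in the usage note is constructed.

```python
SHELL_DECRYPT = 0x711ACEAC      # the shell routine the embedded CALLs target (from the listing)
NOP = 0x90

# Constructed from the 004C75C0 listing above: CALL 711ACEAC, marker FF, then the
# encrypted byte 5E and the untouched remainder up to MOV BYTE PTR [EAX+5B],0.
SAMPLE_BASE = 0x004C75C0
SAMPLE_BEFORE = bytes.fromhex(
    "E8E758CE70" "FF" "5E" "A89F4C00" "8B00" "E8067EFAFF"
    "A1A89F4C00" "8B00" "C6405B00")


def decode_call_target(code, off, base):
    """Absolute target of an E8 rel32 CALL at offset off, or None if there is no CALL there."""
    if off + 5 > len(code) or code[off] != 0xE8:
        return None
    rel = int.from_bytes(code[off + 1:off + 5], "little", signed=True)
    return (base + off + 5 + rel) & 0xFFFFFFFF


def repair_embedded_calls(code, base, shell_func=SHELL_DECRYPT):
    """Apply the effect of the shell routine (711ACEF4-711ACF1A) statically and remove the call.
    Returns (patched bytes, list of patched call addresses)."""
    buf = bytearray(code)
    off, sites = 0, []
    while off + 7 <= len(buf):              # CALL (5) + marker byte + encrypted byte
        if decode_call_target(buf, off, base) == shell_func:
            marker = buf[off + 5]
            if marker & 1:                  # AND AL,1 / CMP AL,1 in the routine
                buf[off + 6] ^= 0xFF        # XOR BYTE PTR [EBX],0FF
            # the routine does INC on the return address, so the marker never executes:
            # replace CALL + marker (6 bytes) with NOPs and resume after the decrypted byte
            buf[off:off + 6] = bytes([NOP]) * 6
            sites.append(base + off)
            off += 7
        else:
            off += 1
    return bytes(buf), sites


if __name__ == "__main__":
    patched, sites = repair_embedded_calls(SAMPLE_BEFORE, SAMPLE_BASE)
    print([hex(s) for s in sites], patched.hex().upper())
```

On the sample this yields six NOPs followed by A1 A8 9F 4C 00, i.e. the MOV EAX,[4C9FA8] shown in the post-decryption listing. Matching on the exact target address keeps stray E8 bytes inside other instructions from being treated as call sites. Note that at runtime only one site is ever in the clear, because the routine re-encrypts the previously decrypted site through the pointer it keeps at 7120066C (the XOR BYTE PTR [EAX],1 and XOR BYTE PTR [EBX],0FF at 711ACEDF-711ACEE2); this pass decrypts all of them in the dump, which is what a standalone executable needs.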